Hey, Let's be “Friends”: Why Police Need to be Careful with Personal Cell Phones

Well it happened again. You know what we are talking about. A police officer either issues a ticket or arrests someone, and the suspect concludes it is a good idea to go to Facebook and make a threat against the officer.  This time it happened in Jackson County, MI, when Joey Jason Holliman allegedly posted a threatening message on Officer Michael Strickland’s timeline shortly after being ticketed Wednesday.

We don’t know how Holliman located Officer Strickland’s profile.  It may be that Officer Strickland didn’t set his privacy settings properly. For instance, he may have allowed search engines to index his profile, a feature that can be turned off rather easily.

But then again it might not have anything to do with the settings. Let us explain. About two weeks ago, I started seeing individuals appear in my suggested friends page that should not be there, for instance offenders that I supervised and had sent to prison. Todd and I discussed how this might happen. We ruled out that I had searched for them with my profile or that I had their telephone numbers in my personal address book. I theorized that they may have searched for me. Even though they couldn’t find me, as my privacy settings were locked down, Facebook thought I might want to connect with them, so it suggested them as possible “friends.” How helpful! (We haven’t ruled that theory out yet.)

However, it appears there is another possibility that is even more troubling. If two Facebook users connect to Facebook from the same IP subnet, or they are using Facebook on their cell phones from near-overlapping geocodes, the social networking site assumes the users are “friends” or potential “friends.” Yep, you guessed it. It then populates the suggested “friends” list of both users with the other. How nice!

In the ticket incident above, if both Holliman and Officer Strickland had cell phones on, with Facebook connecting to the Internet, they would likely have been using an overlapping geocode. Even if Holliman didn’t remember Strickland’s name, Facebook would likely have suggested him as a potential “friend.”

Many of us carry our personal cell phones on our person in the field. We also have them in our office. But by allowing Facebook to connect to the Internet from our cell phones, we are exposing ourselves to “friend” suggestions from those we would prefer not even know we have a Facebook profile. How many times do those of us in law enforcement go into high crime areas with criminals nearby carrying cell phones? How many times do suspects have cell phones on their person in police waiting areas or outside courtrooms? Do we really want our Facebook profile offered up as a “friend” suggestion to EVERYONE? Unfortunately, Facebook does not offer a setting to opt out of appearing in “friend” suggestion lists.

It would seem the solution is to turn off one’s geolocation (suggestions can be found here). But this would seem only to stop Facebook from sharing it with other users. It does not prevent Facebook from gathering your geolocation and using it for its own purposes, such as suggesting “friends” in the same area. Revoking the app’s location permission at the phone’s operating-system level, rather than in Facebook’s own settings, at least denies the app the GPS reading, but it does nothing about the IP address the app connects from. The only really secure way to stop this is not to have Facebook installed on your phone, or at a minimum to limit your cell phone/Internet usage, for instance turning it on when needed and off when not in use. This way it is not constantly connected to the Internet, looking for “friends.” Additionally, limit or eliminate your cell phone/Internet usage in “high risk” areas, such as where you might run into someone you are going to arrest, are arresting, and/or did arrest. Finally, individuals involved in law enforcement must be continually vigilant to how their personal devices may be inadvertently “leaking” information to other devices in a way that poses a risk to them and their loved ones. Of course, that is really sound advice for all of us, regardless of our occupations. On that note I left a cigar lit somewhere.

Riddle Me this Batman: Doing Google Search Warrants

One of the unique aspects of my “job” is I get to see investigative reports on various cases and how they develop. Recently, I was looking at the investigative efforts of an agency on a child porn case. It was a simple case really. The suspect used a gmail account to send illegal images to a covert account, which also happened to be a gmail account. But I have my questions.

The investigative agency got a search warrant and served it on Google. However, for some reason the matter was not sealed. If one searches for the gmail account name, one can still find the case that references the search warrant, i.e., USA v. [actual name of the gmail account].

Yeah, big problem, Batman. And guess what? The suspect went missing for a year. First question: why was the search warrant application not sealed in this day and age, particularly in a case seeking a search warrant for an email account? I am just guessing, but maybe this suspect did a Google search on his email address, or even had an alert set up to notify him when his email address showed up on the web. Hence the reason he was missing for a year.

Next few questions in this case revolve around the search warrant affidavit and what they were seeking. In this case they only asked for “the email account”, which apparently is all they got. They got email to and from the suspect and their attachments. This was the meat of the issue and showed he sent and received illegal images. However, why didn’t they seek and obtain other aspects of the Google account in their application?

Specifically, they interacted with this suspect via email from another gmail account. Why not also interact with him using Google’s chat function? It is, after all, highly likely that this suspect also used Google’s chat service to trade child porn, if not worse. Additionally, what about asking for everything on the Google Drive too? Individuals don’t just store data on hard drives now. Why not also explain in the search application that law enforcement needed data from this subject’s Google Drive?

Additionally, individuals often search via Google while they are signed into their account. Guess what? Google will frequently have that history saved. Wouldn’t it be good to also have the evidence that the subject was searching for these images too?

These last two questions, concerning the Google Drive and the search history, become particularly important when we consider that when they found this suspect his computer was long gone. Sure, they have the email messages and attachments sent back and forth. But is it possible that he still has images saved in his Google Drive?

Additionally, this suspect initially claimed his account was “hacked.” One way to overcome the “hacked” defense is to show the person was doing other activity at the time they were looking for porn. For instance, one minute he is looking up an address for a job, the next he is surfing for porn, followed by searching for a car part, etc. Also, having the IP addresses from which the account was accessed during the email and browsing sessions would have helped defeat the hacker defense, particularly as they didn’t have the suspect’s computer. Thankfully, he later admitted he was using the account to trade child porn and dropped the hacker defense.

My final question is why they apparently never went back and got search warrants for the original Google account and the additional email accounts after his admission over a year later. Do we really believe that he only traded child porn for a two month period? With his admission and the evidence already gathered it appears that there would be plenty of probable cause, which wasn’t stale, to get additional search warrants for these accounts. I get that they had plenty of evidence, but shouldn’t they have made sure to check these accounts again? We don’t stop searching a building because we found drugs in one room. What if there was more than just additional images in those accounts, such as evidence that he was involved in molesting a child?

Granted, I am playing armchair detective here and they have the guy. My point in all this is we need to start looking at Google as more than just an email service. It is a cloud storage provider and in many ways holds as many, and maybe more, pieces of electronic evidence than a traditional computer. So Batman, what do you think? On that note, I left a cigar lit somewhere.

Silk Road 2.0: A Cheap Imitation of the Original

Last week it was announced that law enforcement had again taken down illegal Tor markets. Kudos to law enforcement on their apparent success! Although they took down several such online marketplaces, the one that caught everyone’s attention was Silk Road 2.0, the heir apparent to the original, which was shut down a little over a year ago. But has anyone really compared the original Silk Road to 2.0? It appears that 2.0 is a cheap knock-off or imitation.

The Original

The first Silk Road was in operation from approximately February 2011 to October 2013, roughly 32 months. It reportedly had total sales of about $1.2 billion, earning $80 million in commissions. It also had over 13,000 drug listings. When it was initially shut down, 26,000 Bitcoins (BTC) were seized from Silk Road accounts, worth approximately $3.6 million at the time. However, there were also 144,000 BTC, or about $28 million, seized from the purported mastermind. We have little information that it was ever hacked, at least to any great extent. We have no information to date that its fall was due to an undercover agent working on the inside.

Silk Road 2.0

Silk Road 2.0 operated from about November 2013 to October 2014, roughly 12 months. One particular month’s sales were noted at $8 million. At a 5% commission, this earned the illegal business about $400,000. However, we can’t say they averaged $8 million a month. In fact, shortly after Silk Road 2.0 started up it was hacked, losing about $1.5 million in BTC. It reportedly had about 14,024 drug listings. We have information that only about $1 million has been seized at the present time. Finally, the complaint reflects that early on an undercover agent was on board, working with the supposedly more “secure” management team.

Looking at longevity, total sales, and amount seized, Silk Road 2.0 pales in comparison to the original. The only area in which Silk Road 2.0 appears to have exceeded the original was total drug listings. However, more listings did not translate into more money. To be fair to Silk Road 2.0, they clearly had more competition than the original. But I think that success is all negated when one considers they were hacked and had an undercover agent working on the inside.

Now we have news that Silk Road 3.0 has started up. Maybe someone should point out to the new Dread Pirate Roberts that this franchise appears to be a dead end. You can’t spend all those earned BTC commissions very well in prison, particularly if they end up being seized. One thing I would point out, though, which kind of sends chills up my spine: both Silk Road and 2.0 were not run by career drug dealers. They were run by tech savvy individuals with no brick and mortar drug dealing expertise. With the kind of money being made it will not be long, if it hasn’t happened already, before a traditional drug dealer or gang decides to go “high tech” into Tor’s marketplace. When that happens, this so-called “safe” online marketplace will become a lot more dangerous for those involved. On that thought, I left a cigar lit somewhere.

Additional Reading

More Than 400 .Onion Addresses, Including Dozens of ‘Dark Market’ Sites, Targeted as Part of Global Enforcement Action on Tor Network

Operator of Silk Road 2.0 Website Charged in Manhattan Federal Court

Original Silk Road Complaint

Silk 2.0 Complaint

Silk Road 3.0 Opens for Business

The FBI’s Plan For The Millions Worth Of Bitcoins Seized From Silk Road

Digital Domestic Violence

“Stranger danger” has been used frequently to describe online threats, particularly those facing minors. However, one of the most serious digital dangers facing some individuals is posed by those who likely know the Internet user best, such as a former spouse or significant other. Increasingly, domestic abusers are turning to technology to harass, threaten, and/or stalk their victims. This has become known as “digital domestic violence.” The use of technology to stalk or harass has been with us almost since the Internet’s inception. In the mid-1990s, the terms “cyberstalking” and “cyber harassment” were coined in recognition of how individuals were using electronic communications to victimize others. Digital domestic violence (DDV) is more narrowly focused on those who use technology against a former girlfriend, boyfriend or spouse. It can include using the Internet to:

  • Research methods and means to harass or stalk the victim;
  • Keep track of and follow the victim’s movements and habits, frequently by accessing social media, with or without global positioning information;
  • Transmit and/or access the reports of monitoring software installed on the victim’s computer or devices;
  • Transmit actual threats or harassment to the victim; and
  • Facilitate the use of other technologies in DDV, such as GPS trackers, cell phone tracking, and remote video/audio surveillance.

One’s former significant other or spouse is in a unique position to wreak digital chaos on the victim’s life. This is because of trust. The victim at some point in the relationship likely trusted their future attacker. With trust can come access to the victim’s computer and/or mobile devices. Prior to the relationship’s termination, the offender may have searched the device, viewing browsing history, e-mails, text messages, etc. The victim may also have left their e-mail account or social media profile open. This access also may have allowed the future attacker to install monitoring software unbeknownst to the victim. Monitoring software, by the way, is very easy to install on computers and mobile devices. It is rather inexpensive, free versions are available, and depending upon the vendor, the results can be reviewed via the Internet, without direct access to the device it is installed on.

Even if the victim did not provide access to their devices, they may have accessed their e-mail and/or social media from their future attacker’s own device. It isn’t that uncommon for a trusting girlfriend to check her social media profile or e-mail on her boyfriend’s laptop or computer. She might not have completely logged off when she was done, allowing the boyfriend to gain access. Even if she did log off, depending upon the offender’s technical sophistication, the password may be recoverable from his system at a later date. Even an unsophisticated offender may have installed monitoring software on his own computer to capture the passwords of unsuspecting users for later retrieval. These are not the only methods of gaining access to a victim’s digital life. Other cyber-criminals rely on methods such as social engineering to get passwords. Because of trust, a future attacker may already know the victim’s passwords to e-mail accounts and social media profiles. DDV offenders, unlike strangers, know their victims, their friends, their habits, their history, etc. If they don’t know the passwords, they likely know the answers to the challenge questions used to reset them. They know a lot about their victims, which can be used to trick them into providing information, into installing a program such as monitoring software, or into unwittingly adding the offender, posing as an “old” school friend, to their social media circle. Other DDV offenders start with more direct methods of harassment and/or threats, such as sending messages or posting on social media profiles.

Victims should make sure to print out or take screen shots of all harassing or threatening messages so they can be provided to law enforcement. These posts can be quickly dealt with by reports to law enforcement and service providers and by electronically blocking the offender from sending or posting messages. However, if the DDV offender still manages to electronically get to their victim, it may be that they have gained access to the victim’s accounts and/or installed monitoring software. At a minimum, individuals involved in a bad breakup with no violence need to change all passwords to all accounts, and do so from a device the former partner never had access to, since a password changed on a monitored device is captured along with the old one. They should also consider removing their former partner from their social media circles, or at a minimum imposing restrictions on what they can access. Additionally, it is important to turn off GPS tracking on one’s mobile devices (cell phones, iPads, Windows tablets, etc.) as well as on digital cameras (cameras and smartphones with GPS embed the coordinates in the Exif metadata of the image files they create, and those coordinates travel with the file when it is shared). If it appears that the former partner is still gaining access to them or following them, they may wish to either get new devices or have their old ones checked for monitoring software (this can be costly but effective). In cases where violence occurred, victims need to immediately stop using their devices until they are deemed safe and gain access to new or trusted devices. In all cases where DDV is occurring, victims need to contact law enforcement and seek help from resources such as those listed below. Obviously, victims should not use an untrusted device to make these contacts, as their attacker may be monitoring it. (The National Domestic Violence Hotline is 1-800-799-7233, TTY: 1-800-787-3224.)

Resources

Daily Tip: How to turn off GPS geo-location for iPhone photos, protect your privacy

Digital Harassment Is the New Means of Domestic Abuse

How to Turn Off GPS on a Cell Phone

How to Turn off GPS on the iPhone

How to Turn Off Location Services on an iPad

Minnesota Center Against Violence and Abuse

National Coalition Against Domestic Violence

Privacy and Domestic Violence

Smartphone Pictures Pose Privacy Risks

The National Domestic Violence Hotline

Turn Off Your Smartphone Camera’s GPS to Protect Your Privacy

What is Digital Abuse?

Revenge Porn: 1st Amendment Issue or Crime?

Stalking and harassing people online has been a pastime of some since the Internet went public. The purpose of online harassment has always been to humiliate others by posting rude and offensive material that embarrasses the target. A new form of harassment has been coined “Revenge Porn,” the stated intention of which is to get back at a former lover for some personal grievance by posting nude pictures taken consensually during the relationship. Revenge sites such as UGotPosted.com or IsAnyoneUp.com, or its sister domain Revengeporn.com, cater to this activity. Some sites also have the dual purpose of being a dating site. From an investigative point of view we need to consider carefully how we approach this issue, due to First Amendment concerns and the general investigative issues related to online investigations.

Criminal behavior is not protected by the First Amendment. As with any crime, an investigator must have an idea of what statutes might be involved. Let’s consider the possible factors that might be present in this kind of behavior besides just a relationship gone bad. First, if one or more of the subjects in the pornographic images is a minor, the investigator is dealing with a sex crime. There are serious penalties for the person who took the image as well as for the one who posted it or possesses it. Additionally, hosting child pornography has serious legal repercussions for any website.

Second, if the image is of an adult, was it taken without their consent, also known as video voyeurism? There are numerous laws that might be involved under such circumstances. The National District Attorneys Association has a nice state-by-state breakdown of the possible statutes.

Third, was the pornographic image stolen from its owner? According to their indictments, Hunter Moore and Charles Evens, the evil geniuses behind IsAnyoneUp.com, were not just posting images that were submitted but were actively hacking into individuals’ email accounts and cell phones to get images. What they were doing definitely violated numerous hacking statutes. It makes one wonder whether there were really that many folks submitting their revenge images, or whether the operators were just hacking into people’s accounts and stealing them.

Fourth, was there an attempt made to blackmail or extort something of value out of the victim to prevent the images from being posted? Obviously, there are laws against this kind of activity in every jurisdiction.

Fifth, does the posting fit under general harassment or, more specifically, under Internet harassment or cyberstalking? Is the posting part of a broader pattern of harassment against a person? Finally, does your jurisdiction have a statute that specifically covers this conduct? California has done just that with its new Revenge Porn law. The new law makes it a misdemeanor for individuals to take and then circulate such images online without consent with the intent to harass or annoy. Kevin Christopher Bollaert, the man behind UGotPosted.com, found out the hard way that the California Attorney General was serious about this method of harassment when he was charged with 31 felony counts of conspiracy, identity theft and extortion.

Absent an affirmative answer to one of the above questions, the investigator may be faced with a scenario of a consensually taken picture of an adult, posted on a website without authorization. Setting aside the pornographic nature of the image, how many images are posted on websites without specific authorization? You get the idea. Absent a criminal statute, this could simply be considered a civil issue. Key to getting the investigation under way is to answer the following questions:

  1. How old are the individuals in the picture?
  2. Under what circumstances were the images created (with or without consent)?
  3. How securely were the images kept after being created, and who purportedly has them, i.e., were they stolen?
  4. Were the images posted with or without consent?
  5. Was there a blackmail or extortion attempt made prior to the images being posted, or to get them removed?

Answers to these questions will help hone the investigative process and may initially help identify possible suspects if a crime did in fact occur. It may be quite possible that no suspect is identified, such as in the case where the images were taken covertly or were stolen. It then becomes a process of identifying where the images were created and where they were posted. As we explained in detail in our book, some images posted online still contain the metadata, called Exif, embedded by the camera or phone that created them. This could lead to some possibly useful and identifying information as to the photograph’s source, although many hosting sites strip that metadata on upload, so it is best sought in the original file. The investigator may also have to contact the hosting website and serve legal process to obtain their cooperation.

The process gets much more difficult if the poster hides their IP address, or the website did not keep any information. If the actual image files can be obtained, will they have any metadata that may provide clues to where they were created and how? Clearly, these investigations can be time consuming. Law enforcement has a role in investigating criminal acts, but it also has to be prudent in how it allocates limited resources. A true revenge porn incident might be more appropriately handled by civil enforcement action taken by the wronged party.

The problem for the wronged party is that search engines crawl websites and frequently capture the posted images. Copies are kept in the search engine’s cache independent of the revenge site. Also, IsAnyoneUp.com may be down and no longer running as a revenge porn site, but there is still a problem: IsAnyoneUp.com was archived by the Wayback Machine. As of the writing of this post some of the material from IsAnyoneUp.com has been removed, but not all of it. The result for the victim is that the offending images are now likely archived someplace else on the Internet. One also has to consider how Google, Yahoo and sites like TinEye handle these images in their databases. They hold enormous numbers of images, cached or otherwise maintained on a server.

Additionally, what happens when the website is hosted in another country? How can you make them remove the image if the website is hosted in Russia? Civil suits can be filed against the hosting company, but extraditing individuals from another country for hosting these images is impractical, given that doing so even for child pornography is difficult at best. Trying to get sanctions imposed on them for posting nude images of former boyfriends/girlfriends would be a major challenge.

The best solution is to strengthen the liability, and if necessary the criminal statute, for someone who maintains the image on their website. There is also the one thing we always recommend that can definitely stop this issue: prevention. Simply don’t let folks take pictures of you with your clothes off! Individuals have to understand that in this day and age the picture you take today can be uploaded and posted for all the world to see in seconds, and may never disappear.

PS: This piece was written by both Todd Shipley and Art Bowker

Additional Stories on Revenge Porn

Race To Stop ‘Revenge Porn’ Raises Free Speech Worries

Mom: I found my face on a ‘revenge porn’ website

Judge throws out New York “Revenge Porn” case

Attempts to Control ‘Revenge Porn’ Through Legislation (Intentan controlar bajo ley el ‘porno de la venganza’)

Seeking to Put a Stop to Revenge Porn (Buscan poner freno al porno de la venganza)

Updating Correction Agencies on Bitcoins, Tor and Silk Road

I have been a bit busy lately writing pieces for two different corrections websites. In Back to Tor, Silk Road and Bitcoins I revisit the “Dark Web” for corrections and discuss a recent study that found 18% of American drug users had used Silk Road “products.” In Bitcoins behind bars: Is it possible?, I explore the possibility that inmates could adopt bitcoins or some other cryptocurrency to conduct illegal enterprises from behind prison walls. Please check them out!